The best security strategy: Low expectations

By William Jackson

Mar 17, 2009

Members of a panel of security experts today painted a gloomy picture of the cybersecurity landscape, in which rapidly evolving threats and conditions ensure that even the best solutions are likely to remain piecemeal and temporary.

Security efforts should focus on assessing and managing risk to information, members of the panel of industry and government officials said, and baseline security requirements mandated by government cannot be expected provide adequate security across the board.

“We should go in with our eyes open to the reality that if somebody wants the information, no matter what the baseline, they will get it,” said Wayne Fullerton, solutions and operations director for Cisco Systems Inc.’s U.S. federal organization.

Levels of security need to be assigned to a given piece of information based on its value to the owner and to those who could steal it. After the cost of stealing information drops below its perceived value, “if people really want it, they will get it,” Fullerton said.

And although no one level or policy is practical for securing all data, no one architecture is advisable either, said Bill Vass, president and COO of Sun Microsystems Federal.

“We don’t want to have one consistent architecture everywhere,” Vass said. That would only create a common set of risks.

The panel was presented by the Secure Enterprise Network Consortium, which includes Cisco, Sun Microsystems, CA and Accenture, as well as the Energy Department’s Los Alamos National Laboratory.

Rep. Jeff Miller (R-Fla.), ranking member of the House Armed Services subcommittee on Terrorism and Unconventional Threats and Capabilities, expressed concerns about the threat of cyber warfare in his opening remarks to the panel. Miller represents the panhandle of Florida that includes the Pensacola Naval Air Station and Eglin Air Force Base.

“We are in a cyber war, whether you want to call it a war or not,” he said, citing the millions of daily attacks against Defense Department IT systems. It is difficult to determine the sources and motives for these attacks, but he also cited instances of online attacks against Estonia in 2007 and Georgia last year as illustrations of the “ability to combine cyber attacks with a military objective.”

Miller said DOD must work closely with industry to ensure that national defense IT systems are not compromised at their outset by backdoors and other compromises that could be installed by offshore developers and manufacturers.

Terry Wallace, principal associate director for science, technology and engineering at Los Alamos, said the lab assumes that its systems are compromise, and that its security is imperfect.

“There will always be information loss,” Wallace said, and all systems are contaminated, although how and to what extent is unknown. With these assumptions, Los Alamos must strike a balance between the need to protect information and to enable collaboration on scientific research that is the lab’s stock in trade.

“There isn’t an answer today,” he said. “Our biggest challenge is that we have a lagging response. We’re almost always mitigating something that is no longer a security concern,” taking resources away from the job of anticipating threats.

Another problem that does not seem to be anywhere near a solution is figuring out who is in charge of the government’s IT security. This is a question that frustrates both the government and private sector.

“For us in industry, it looks like a phone book” when trying to determine whom to contact on a given subject, one member of the audience said.

Miller had little comfort to offer on that question. Although a central point of contact would be convenient, he warned that responsibility needs to be distributed so that differing needs of each installation can be addressed.

Jerry Briggs, managing director of Accenture’s federal business, said that rather than a single overseer for IT security in government, what is needed is better cooperation between the executive branch, Congress and industry.

About the Author

William Jackson is freelance writer and the author of the CyberEye blog.

The Census Bureau hasn't established a time frame for its cloud computing plans, including testing for scalability, security, and privacy protection, as well as determining a budget for cloud services.

Reader comments

Thu, Mar 19, 2009

Rea: Low Exppectations-sounds like the Cyber community is where the Physical Security community was about 10 yrs ago. We tried all kinds of elctronic systems and defenses and finally came full circel to putting gaurds (humans) at crtical points of entry and used centric cones of security to guard our most critical assets with a mix of electronics and people. Seems the cyber folks could learn from our mistakes and successes-we finally had to admit that if an adversary was willing to pay the costs in equipment and manpower, most of what we were trying to protect could be exploited. Think about integrating your early warning cyber detection systems (gateways?)with humans/guards, 24X7, 365,so you have a ready, timely response/defense and method of interogating the intrusions we are seing to our systems. I know this is a simplistic approach to a complex problem-the same argument all the "smart" pople used when we we turned things around in the Physical Security world, but the concept may work for Cyber as well?

Please post your comments here. Comments are moderated, so they may not appear immediately
after submitting. We will not post comments that we consider abusive or off-topic.